Abstract

Device-Independent Quantum Key Distribution (DIQKD) is a formalism that supersedes traditional quantum key distribution, as its security does not rely on any detailed modelling of the internal working of the devices. This strong form of security is possible only using devices producing correlations that violate a Bell inequality. Full security proofs of DIQKD have been recently reported, but they tolerate zero or small amounts of noise and are restricted to protocols based on specific Bell inequalities. Here, we provide a security proof of DIQKD that is both more efficient and noise resistant, and also more general as it applies to protocols based on arbitrary Bell inequalities and can be adapted to cover supra-quantum eavesdroppers limited by the no-signalling principle only. It requires, however, the extra assumption that the adversary does not have a long-term quantum memory, a condition that is not a limitation at present since the best existing quantum memories have very short coherence times.
1 Introduction

Quantum key distribution is the art of distilling a secret key between two distant parties, Alice and Bob, who have access to an untrusted quantum channel [1]. In this scenario, one typically assumes that the equipment in Alice and Bob's labs can be trusted, and moreover, that its behavior is accurately described by a given theoretical model. Unfortunately this often turns out to be a very strong assumption which is not justified in practice [2]. In particular, many loopholes can be exploited by an eavesdropper to get around the usual security proofs: for instance, the state preparation might be imperfect [3], or the eavesdropper might perform a blinding attack to take control of the detectors at a distance [4].

One way around such problems consists in exhaustively listing all the potential mismatches between the theoretical model and the real implementation and taking care of each one of them individually. However, this approach is dubious as it is impossible to be sure that all loopholes have really been addressed. Another, more promising, approach is inspired by the recent framework of device-independent quantum information processing [5, 6]. Here, the idea is that if Alice and Bob are able to experimentally violate a Bell inequality [7], it means that their data exhibit intrinsic randomness as well as secrecy [8, 9], independently of the internal operation of the devices [5]. In recent years, this framework has been used to prove the security of device-independent key distribution [10, 11, 12, 13, 14, 15, 16, 17, 18], to certify randomness expansion [20, 21, 22, 23, 24], to self-test quantum computers [25] and states [27], and to guarantee the presence of entanglement [28].

In the present work, we focus on the cryptographic task of key distribution, which has been the subject of many very recent developments. Until recently, security proofs were restricted to scenarios where Alice and Bob have access to a pair of memoryless devices or $n$ independent pairs of devices, thus ensuring that the measurements inside their own labs were causally disconnected [11] or commuting [13, 14]. This is reminiscent of the notion of collective attacks in standard QKD, where some independence assumption is required. Ideally, one would like a protocol where only one device is required per party, and for which no assumption is needed for the device. This is indeed the motivation for doing device-independent cryptography in the first place.

Recent works have been able to get rid of this assumption. In Ref. [15], the authors introduced a protocol based on the chained Bell inequality [29] and established its security against arbitrary adversaries. The protocol, however, only produces a single secret bit and does not tolerate any noise. In Refs. [16, 17], the authors proved a strong converse of Tsirelson's optimality result for the Clauser-Horne-Shimony-Holt (CHSH) game, based on the CHSH inequality [30]: the only way to win the game with quantum resources as predicted by Tsirelson's bound is to use a strategy close to the optimal one for independent and identically distributed states, that is, applying the optimal measurements on copies of a two-qubit maximally entangled state. This theorem provides a security proof for DIQKD based on the CHSH inequality. Unfortunately, the security proof does not tolerate any constant amount of noise. While this work was completed, Vazirani and Vidick gave a universally composable security proof of DIQKD against arbitrary attacks [18]. Their protocol, based again on the CHSH inequality, is both reasonably efficient (the key length scales linearly with the number of measurements) and tolerant to a constant fraction of noise. A drawback, however, is that the maximum amount of noise tolerated is of the order of 1%, significantly lower than the bounds obtained for protocols using $n$ pairs of devices.

In the present paper, we present a security proof that (i) works for only two devices, that is, does not require commuting measurements or memoryless devices, (ii) can be applied to generic DIQKD protocols based on arbitrary Bell inequalities, (iii) has the same efficiency and tolerance to noise as previous proofs using memoryless devices. All these nice properties, however, come at the price of assuming that the adversary only holds classical information. While this may seem a strong requirement, it can be easily enforced in any realistic implementation by delaying the reconciliation process, since the best existing quantum memories have very short coherence times [19]. Another advantage of our general framework is that it can also provide security beyond quantum theory, that is, against eavesdroppers that are only limited by the no-signalling principle.

The outline of the paper is the following. We first give a brief reminder of the relation between nonlocality, that is, violation of a Bell inequality, and randomness. We then describe the quantum key distribution protocol and present its secret key rate. We prove the security of the protocol under the assumption that the eavesdropper does not have access to a long-term quantum memory. We conclude by briefly comparing our results with the existing security proofs, and discussing some rather natural follow-up questions.

2 Nonlocality and randomness 

In the following, we consider a bipartite scenario where Alice and Bob input random variables $X$ and $Y$ in their respective devices and obtain classical outputs $A$ and $B$, respectively. We denote by $\lambda_A, \lambda_B, \lambda_X, \lambda_Y$ the sizes of the alphabets of $A, B, X, Y$, respectively. Moreover, we denote by $P(a,b|x,y)$ the probability of getting the specific results $A = a$, $B = b$ when the inputs are $X = x$, $Y = y$, and by $P(A,B|X,Y)$ the vector with components $P(a,b|x,y)$.

A Bell inequality can be written as

$$I[P(A,B|X,Y)] := \sum_{a,b,x,y} \beta(a,b,x,y)\, P(a,b|x,y) \le I_{\rm cl}, \qquad (1)$$

where $I_{\rm cl}$ is the classical upper bound. To any such Bell inequality, one can associate a bound on the randomness of the output $A$ given the input $X = x$ through a function $\tau_x$ such that

$$P(a|x) \le \tau_x\big(I[P(A,B|X,Y)]\big) \quad \text{for all } a \in \mathcal{A}_A. \qquad (2)$$

Such a function can be computed using the techniques given in [31], as explained in [21]. Without loss of generality, this function can be assumed to be monotonically non-increasing and such that $-\log(\tau_x(\cdot))$ is convex.

For simplicity, we consider the case where there exists an input-independent bound, i.e. a function $\tau$ such that $\tau(I) = \tau_x(I)$ for all $x \in \mathcal{A}_X$. Examples of Bell inequalities satisfying this property are: the CHSH inequality [30], the chained inequality [29], and the Collins-Gisin-Linden-Massar-Popescu (CGLMP) inequality [32]. Our results, however, can easily be generalised to cover the case of input-dependent bounds.

3 Description of the protocol 

The DIQKD protocol that we consider in this paper is very general in the sense that it is compatible with arbitrary Bell inequalities, in particular with the various examples of Bell inequalities mentioned above. Our protocol consists of four steps: measurements, estimation of the Bell violation, error correction and privacy amplification. We denote by $n$ the number of times each device is used during the protocol.

1. Measurements. Alice and Bob respectively generate the random variables $U_j, V_j \in \{0,1\}$ with distribution $\Pr\{U_j = 1\} = \Pr\{V_j = 1\} = q = n^{-1/8}$ for $j = 1, \dots, n$. If $U_j = 0$ then Alice measures round $j$ with input $0$ obtaining outcome $A_j$. If $U_j = 1$ then Alice generates $X_j$ with uniform distribution $P(x_j) = 1/\lambda_X$ and measures round $j$ with input $X_j$ obtaining outcome $A_j$. Bob does the analog with $V_j$, input $Y_j$, and outcome $B_j$. In other words, events where $U_j = V_j = 0$ are used to establish a raw key, while events where $U_j = V_j = 1$ are used to test the Bell inequality and guarantee that a secret key can indeed be extracted from the raw key.

2. Estimation. Alice and Bob publish $(u_j, v_j)$ for all $j$, and discard the data corresponding to the rounds with $U_j \ne V_j$. The data corresponding to the $m$ post-selected rounds $(u_j, a_j, b_j, x_j, y_j)$ with $v_j = u_j$ is relabeled with the index $i = 1, \dots, m$ keeping the time order. The data corresponding to the rounds of the set $\mathcal{E} := \{i \mid U_i = V_i = 1\}$ is also published and used to estimate the Bell-inequality violation. More specifically, Alice and Bob can use the public data to compute the following quantity:

(3)
3. Error correction. Alice and Bob publish $n_C$ bits in order to correct Bob's errors $S \to S'$. For sufficiently large $n_C$, all errors are corrected, $S' = R$, with high probability. Note that some of the published bits are used to estimate how many more bits need to be published for a successful error correction. For large $n$, publishing $n_C \approx nH(A|B)$ bits is enough. For more details about the functioning of error correction, we refer to [33].



4. Privacy amplification. Alice generates and publishes a two-universal [34] random function $F$ which maps $R$ to an $n_K$-bit string $K = F(R)$. The number $n_K$ depends on the published information as

$$n_K := \max\left\{0,\ \left\lfloor -m \log_2 \tau\!\left(\frac{|\mathcal{E}|\, I_{\rm est}}{m \Pr\{U=1|U=V\}} - n^{-1/8}\right) - n_C - 2|\mathcal{E}| \log_2(\lambda_A \lambda_B) - \sqrt{n} \right\rfloor \right\}, \qquad (4)$$

where $\lfloor \gamma \rfloor$ is the largest integer not bigger than $\gamma$. Alice and Bob then compute $(F(R), F(S'))$, obtaining two copies of the secret key.



Note that if the adversary holds a quantum memory, but cannot keep it for an arbitrarily long time, the honest parties should implement the protocol in two steps: (i) they rece* the quantum systems from the source and perform the measurements, (ii) some time $T$ later they perform the rest of the protocol involving the public communication for the estimation, error correction, and privacy amplification. We show security under the assumption that the adversary cannot keep a quantum memory for a time $T$. According to current and near-future technology, this assumption can be enforced by taking $T$ of the order of a few minutes [19].



4 Security and efficiency 

To prove security, we will not make any assumption on the behaviour of the devices of Alice and Bob, except that they do not broadcast information about the inputs and outputs towards the adversary (a condition without which there is no hope of ever establishing any secret). Modulo this requirement, we can even assume for simplicity that the devices have been built by the adversary. The eavesdropper could in particular hold quantum systems that are entangled with the systems in the users' devices. However, our proof of security only holds under the condition that the eavesdropper cannot store this quantum information past the measurement step of the protocol. After this step, she should thus perform a measurement $M$ on her quantum system, which would give her some classical information $E$ about the behaviour of Alice's and Bob's devices. But since until this point no public communication has been exchanged between Alice and Bob, we can as well assume that the eavesdropper has performed her measurement before the users received their devices from the source. The fact that our proof of security holds independently of the behaviour of the devices then implies that it holds independently of the prior classical information $E$ that Eve holds on the devices, and we can thus forget $E$ in the following.

At the end of the protocol, Alice holds the secret key $K$, and Eve holds the information published in the estimation step $W = [(U_1, \dots, U_m), (A_i, B_i, X_i, Y_i)_{i \in \mathcal{E}}]$, in the error correction step $C = \theta(R)$, and in the privacy amplification step $F$. Note that here we consider the worst case, where all the messages published within the error-correction step are a function $\theta$ of Alice's raw key $R$. Let $P(k,f,w,c)$ be the probability distribution for these random variables.

We say that $K$ is an ideal secret key if it is uniformly distributed and uncorrelated with all the rest:

$$P(k,f,w,c) = 2^{-n_K}\, P(f,w,c) \quad \text{for all } k,f,w,c. \qquad (5)$$

Note that since $\mathcal{E}$ and $I_{\rm est}$ are functions of $w$, so is $n_K$. It is unrealistic to expect that a protocol can generate an ideal secret key. Instead, what we demand is that the distribution generated by the above protocol is indistinguishable from an ideal secret key. It is known that the optimal success probability when discriminating the two distributions is [33]



$$p_{\rm succ} = \frac{1}{2} + \frac{1}{2}\sum_{k,f,w,c}\big|P(k,f,w,c) - 2^{-n_K}P(f,w,c)\big|. \qquad (6)$$

The main result of this work (see the Theorem below) is to show that

$$p_{\rm succ} \le \frac{1}{2} + \gamma\, e^{-\beta_0^{-2} n^{1/4}}, \qquad (7)$$

where $\gamma$ is a constant and $\beta_0 = \sqrt{8}\,\lambda_X\lambda_Y \max_{a,b,x,y}|\beta(a,b,x,y)|$. For large $n$, the success probability (7) tends to $1/2$, which makes the optimal discriminating strategy no better than a random guess.

Let us now discuss the efficiency of the protocol in the asymptotic limit where $n$ tends to infinity. For large $n$ one expects

$$m \approx n\Pr\{U = V\} \approx n - 2n^{7/8}, \qquad |\mathcal{E}| \approx n\Pr\{U = V = 1\} \approx n^{3/4},$$

with high probability. This gives an asymptotic secret key rate of

$$\lim_{n\to\infty}\frac{n_K}{n} = \log_2\frac{1}{\tau(I_{\rm est})} - H(A|B). \qquad (8)$$

This is the same rate as the one given in [13] for memoryless devices but with security against full quantum adversaries.

In the case of the CHSH inequality, $\beta(a,b,x,y) = (-1)^{a \oplus b \oplus x\cdot y}$, we define $\tau_{\rm QM}$ and $\tau_{\rm NS}$ such that $p(a|x) \le \tau_{\rm QM}(I[P(A,B|X,Y)])$ holds against an adversary limited by quantum theory and $p(a|x) \le \tau_{\rm NS}(I[P(A,B|X,Y)])$ holds against an adversary limited by the no-signalling principle. The specific values of these functions were derived in [21, 13]:

(9) 




1 I 

= 4"4- (10) 

In Fig. 1 we plot the asymptotic secret key rate as a function of the visibility of the state $\rho_v = v|\phi\rangle\langle\phi| + (1-v)\,\mathbb{1}/4$ shared by Alice and Bob.
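The CHSH instance of the protocol of Section 3 together with the finite key length (4) and the rate (8), as an added example that is not part of the paper. It assumes the standard CHSH bounds $\tau_{\rm QM}(I) = \tfrac12 + \tfrac12\sqrt{2 - I^2/4}$ and $\tau_{\rm NS}(I) = \tfrac32 - I/4$ from the cited literature (the functions in (9) and (10) are not legible above), a Werner state $\rho_v$ measured with the CHSH-optimal settings (aligned measurements in the key rounds, so the error rate is $(1-v)/2$), and $I_{\rm est}$ taken as the unbiased estimator $\frac{1}{|\mathcal{E}|}\sum_{i\in\mathcal{E}}\beta(a_i,b_i,x_i,y_i)/P(x_i,y_i)$.

```python
"""Added example (not from the paper): CHSH instance of the Section 3 protocol,
the finite key length (4) and the asymptotic rate (8). Assumed (see lead-in):
the forms of tau_QM and tau_NS, a Werner state of visibility v with CHSH-optimal
settings, and I_est = (1/|E|) sum_{i in E} beta(a_i,b_i,x_i,y_i) / P(x_i,y_i)."""
import math
import random

LAM_A = LAM_B = LAM_X = LAM_Y = 2   # binary outcomes, two test settings per party

def tau_qm(I):
    """Assumed bound on P(a|x) for a quantum adversary, CHSH value I in [2, 2 sqrt 2]."""
    I = min(max(I, 2.0), 2 * math.sqrt(2))
    return 0.5 + 0.5 * math.sqrt(max(0.0, 2 - I * I / 4))

def tau_ns(I):
    """Assumed bound on P(a|x) for a no-signalling adversary, I in [2, 4]."""
    I = min(max(I, 2.0), 4.0)
    return 1.5 - I / 4

def h2(p):
    """Binary entropy in bits."""
    return 0.0 if p <= 0.0 or p >= 1.0 else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def beta(a, b, x, y):
    """CHSH Bell coefficients (-1)^(a xor b xor x.y), as in Section 4."""
    return -1.0 if (a ^ b ^ (x & y)) else 1.0

def asymptotic_rate(v, tau):
    """Eq. (8) for the Werner state: I_est -> 2*sqrt(2)*v and H(A|B) = h2((1-v)/2)."""
    return max(0.0, math.log2(1 / tau(2 * math.sqrt(2) * v)) - h2((1 - v) / 2))

def simulate_rounds(n, v, rng):
    """Steps 1-2 of the protocol on sampled data; returns (m, |E|, I_est, QBER)."""
    q = n ** (-1 / 8)
    m = e_size = errors = 0
    s = 0.0
    for _ in range(n):
        u, w = rng.random() < q, rng.random() < q        # U_j, V_j
        if u != w:
            continue                                      # round discarded
        m += 1
        if not u:                                         # key round, inputs 0
            errors += rng.random() < (1 - v) / 2
            continue
        x, y, a = rng.randrange(2), rng.randrange(2), rng.randrange(2)
        same = rng.random() < (1 + v * (-1) ** (x * y) / math.sqrt(2)) / 2
        b = a if same else 1 - a
        e_size += 1
        s += beta(a, b, x, y) * LAM_X * LAM_Y             # beta / P(x,y)
    return m, e_size, s / max(e_size, 1), errors / max(m - e_size, 1)

def finite_key_length(n, m, e_size, I_est, n_c, tau):
    """Eq. (4): key length n_K computed from the published data."""
    q = n ** (-1 / 8)
    pr_u1 = q * q / (q * q + (1 - q) ** 2)               # Pr{U=1 | U=V}
    arg = e_size * I_est / (m * pr_u1) - q               # argument of tau in (4)
    val = (-m * math.log2(tau(arg)) - n_c
           - 2 * e_size * math.log2(LAM_A * LAM_B) - math.sqrt(n))
    return max(0, math.floor(val))

def expected_key_length(n, v, tau):
    """Eq. (4) at the typical values of Section 4: m ~ n Pr{U=V}, |E| ~ n^(3/4),
    I_est ~ 2*sqrt(2)*v and n_C ~ n H(A|B)."""
    q = n ** (-1 / 8)
    m = n * (q * q + (1 - q) ** 2)
    return finite_key_length(n, m, n ** 0.75, 2 * math.sqrt(2) * v,
                             n * h2((1 - v) / 2), tau)

def demo_simulation(n=10 ** 5, v=0.95, seed=7):
    """One sampled run: returns (m, |E|, I_est, QBER, n_K) with n_C = n h2(QBER)."""
    m, e, i_est, qber = simulate_rounds(n, v, random.Random(seed))
    return m, e, i_est, qber, finite_key_length(n, m, e, i_est, n * h2(qber), tau_qm)
```

At $n = 10^5$ the sampled run estimates $I$ and the error rate well but returns $n_K = 0$: the $n^{-1/8}$ shift and the $2|\mathcal{E}|\log_2(\lambda_A\lambda_B)$ term in (4) only become negligible for much larger $n$, where the closed-form evaluation approaches the rate (8) from below.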

5 Proof 

We now proceed with a detailed security proof for the protocol described above. Before we present and prove our main result, which is an explicit bound on $p_{\rm succ}$, we need three technical lemmas.

Let us introduce a more compact notation

$$t_i := \begin{cases} a_i & \text{if } i \notin \mathcal{E} \\ (a_i, b_i) & \text{if } i \in \mathcal{E} \end{cases} \qquad (11)$$

$$z_i := \begin{cases} u_i & \text{if } i \notin \mathcal{E} \\ (u_i, x_i, y_i) & \text{if } i \in \mathcal{E} \end{cases} \qquad (12)$$

for $i = 1, \dots, m$. Variables with super-index $i$ represent the chain of variables associated to time steps equal or earlier than $i$, that is $t^i = (t_1, t_2, \dots, t_i)$. Recall that the information made public in the estimation step is $w = [u^m, (a_i, b_i, x_i, y_i)_{i \in \mathcal{E}}]$ and that the raw key is $r = (a_i)_{i \notin \mathcal{E}}$. Let $g = (a_i, b_i)_{i \in \mathcal{E}}$ and note that $t^m = (r, g)$ and $w = (z^m, g)$.

Figure 1: Asymptotic secret key rate $k$ vs noise $1 - v$ for the CHSH protocol and a state $\rho_v = v|\phi\rangle\langle\phi| + (1-v)\,\mathbb{1}/4$, where $|\phi\rangle$ is maximally entangled. The upper curve corresponds to a quantum adversary while the lower one considers an adversary only limited by the no-signalling principle.

Lemma 1. The no-signaling constraints imposed by the causal structure of the protocol imply

$$P(t^m|z^m) \le \tau^m\big(I[t^m, z^m]\big), \qquad (13)$$

for all $(t^m, z^m)$, where

$$I[t^m, z^m] := \frac{1}{m}\sum_{i=1}^m I\big[P(A_i, B_i|X_i, Y_i, t^{i-1}, z^{i-1})\big]. \qquad (14)$$

Note that above, in $P(A_i, B_i|X_i, Y_i, t^{i-1}, z^{i-1})$, the symbols $A_i, B_i, X_i, Y_i$ are upper-case while $t^{i-1}, z^{i-1}$ are lower-case, meaning that $P(A_i, B_i|X_i, Y_i, t^{i-1}, z^{i-1})$ is the vector with components $P(a_i, b_i|x_i, y_i, t^{i-1}, z^{i-1})$ for all values of $a_i, b_i, x_i, y_i$ but fixed $t^{i-1}, z^{i-1}$.

Proof. This proof is based on an argument introduced in [21]. A useful observation is that bound (2) implies

$$P(a, b|x, y) \le \tau\big(I[P(A,B|X,Y)]\big) \quad \text{for all } a, b, x, y. \qquad (15)$$

The following chain of equalities and inequalities follows from: Bayes rule, no-signaling to the future, bounds (2) and (15), and the concavity of the function $\log(\tau(\cdot))$.

$$\begin{aligned}
P(t^m|z^m) &= P(t_1|z^m)\, P(t_2, t_3, \dots|z^m, t_1) \\
&= P(t_1|z_1)\, P(t_2, t_3, \dots|z^m, t_1) \\
&= \prod_{i=1}^m P(t_i|z^i, t^{i-1}) \\
&\le \prod_{i=1}^m \tau\big(I[P(A_i, B_i|X_i, Y_i, t^{i-1}, z^{i-1})]\big) \\
&\le \tau^m\big(I[t^m, z^m]\big)
\end{aligned} \qquad (16)$$

□

Lemma 2. The numbers $|\mathcal{E}|$, $I_{\rm est}$, $I$ are functions of the random variable $(T^m, Z^m)$, and satisfy

where $\beta = \sqrt{8}\,\lambda_X\lambda_Y \max_{a,b,x,y}|\beta(a,b,x,y)|$.

(Here a comment is in order. Actually, $I$ is not only a function of $(T^m, Z^m)$ but also depends on the global probability distribution $P(T^m, Z^m)$. But we think of this distribution as given, fixed and unknown. This dependence prevents the straight generalization of the results in this paper to a quantum adversary.)

Proof. The function

$$\eta(t_i, z_i) := \begin{cases} 0 & \text{if } u_i = 0 \\[4pt] \dfrac{\beta(a_i, b_i, x_i, y_i)}{P(x_i, y_i)\Pr\{U=1|U=V\}} & \text{if } u_i = 1 \end{cases}$$

satisfies

$$\frac{1}{m}\sum_{i=1}^m \eta(t_i, z_i) = \frac{|\mathcal{E}|\, I_{\rm est}}{m \Pr\{U=1|U=V\}}, \qquad (18)$$

and

$$\mathbb{E}\big[\eta(T_i, Z_i)\,\big|\, t^{i-1}, z^{i-1}\big] = I\big[P(A_i, B_i|X_i, Y_i, t^{i-1}, z^{i-1})\big], \qquad (19)$$

for all $i$. Consider the sequence of functions of $(t^m, z^m)$ defined by

$$a_l(t^l, z^l) = \sum_{i=1}^l \Big(\eta(t_i, z_i) - \mathbb{E}\big[\eta(T_i, Z_i)\,\big|\, t^{i-1}, z^{i-1}\big]\Big), \qquad (20)$$

for $l = 1, \dots, m$. The fact that

$$\mathbb{E}\big[a_l(T^l, Z^l)\,\big|\, t^{l-1}, z^{l-1}\big] = a_{l-1}(t^{l-1}, z^{l-1}) \qquad (21)$$

implies that the sequence of random variables $a_l(T^l, Z^l)$ is a martingale [35] with respect to the sequence $(T_l, Z_l)$. Also, using the fact that $P(x,y) = (\lambda_X\lambda_Y)^{-1}$ and $\Pr\{U=1|U=V\} = q^2/[q^2 + (1-q)^2] \ge q^2$, the differences

$$\big|a_l(t^l, z^l) - a_{l-1}(t^{l-1}, z^{l-1})\big| \le 2\max_{t,z}|\eta(t,z)| \le \frac{2\lambda_X\lambda_Y}{q^2}\max_{a,b,x,y}|\beta(a,b,x,y)| =: \rho \qquad (22)$$

are bounded for all values of $(t^m, z^m)$. Constraints (21) and (22) constitute the premises for Azuma's inequality [35]

$$\Pr\{a_l(T^l, Z^l) \ge l\mu\} \le \exp\!\left(-\frac{l\mu^2}{2\rho^2}\right), \qquad (23)$$

for any $\mu > 0$. Using (18), (19) and (20) we obtain

$$\begin{aligned}
I[t^m, z^m] &= \frac{1}{m}\sum_{i=1}^m \mathbb{E}\big[\eta(T_i, Z_i)\,\big|\, t^{i-1}, z^{i-1}\big] \\
&= \frac{1}{m}\Big(\sum_{i=1}^m \eta(t_i, z_i) - a_m(t^m, z^m)\Big) \\
&= \frac{|\mathcal{E}|\, I_{\rm est}}{m \Pr\{U=1|U=V\}} - \frac{a_m(t^m, z^m)}{m},
\end{aligned}$$

and setting $\mu = q = n^{-1/8}$ gives (17). □
Lemma 3. There is a good event $\mathcal{G}$ with probability

$$P(\mathcal{G}) \ge 1 - 3\exp\!\left(-m n^{-3/4}\beta^{-2}\right) - (\lambda_A\lambda_B)^{-|\mathcal{E}|}, \qquad (24)$$

for all $w$ such that $P(w|\mathcal{G}) > 0$.

Proof. This proof uses a trick introduced in [23]. The values of $(t^m, z^m)$ in the set

$$\mathcal{G}_1 := \Big\{(t^m, z^m)\ \Big|\ I \ge \frac{|\mathcal{E}|\, I_{\rm est}}{m \Pr\{U=1|U=V\}} - n^{-1/8}\Big\} \qquad (26)$$

are the good ones, since Alice and Bob correctly lower-bound $I$ (and hence $n_K$) from the values $|\mathcal{E}|$ and $I_{\rm est}$ determined in the estimation step. In the condition defining $\mathcal{G}_1$ above, every symbol is a constant except for $I$, $|\mathcal{E}|$, $I_{\rm est}$, which are functions of $(t^m, z^m)$. Note that $I$ also depends on the global distribution $P(t^m, z^m)$, which prevents the generalization of this result to the case of a quantum adversary. Fortunately, according to Lemma 2, the probability of $\mathcal{G}_1$ is large:

$$P(\text{not } \mathcal{G}_1) \le \exp\!\left(-m n^{-3/4}\beta^{-2}\right). \qquad (27)$$

Note the abuse of notation $P(\mathcal{G}_1) = \Pr\{(T^m, Z^m) \in \mathcal{G}_1\}$. Define the set

$$\mathcal{G}_2 := \{w \mid P(\mathcal{G}_1|w) \ge 1/2\}, \qquad (28)$$

and note that $P(\text{not } \mathcal{G}_1|\text{not } \mathcal{G}_2) \ge 1/2$. Using this and $P(\text{not } \mathcal{G}_1) \ge P(\text{not } \mathcal{G}_1|\text{not } \mathcal{G}_2)\, P(\text{not } \mathcal{G}_2)$ we obtain $P(\text{not } \mathcal{G}_2) \le 2P(\text{not } \mathcal{G}_1)$.

Recall $G = (A_i, B_i)_{i \in \mathcal{E}}$ and note that $T^m = (R, G)$ and $W = (Z^m, G)$. Define the set

$$\mathcal{G}_3 := \{(g, z^m) \mid P(g|z^m) \ge (\lambda_A\lambda_B)^{-2|\mathcal{E}|}\}, \qquad (29)$$

and note that

$$\begin{aligned}
P(\text{not } \mathcal{G}_3) &= \sum_{g, z^m} P(g, z^m)\, \mathbb{1}[(g, z^m) \notin \mathcal{G}_3] \\
&\le \sum_{g, z^m} P(z^m)\, (\lambda_A\lambda_B)^{-2|\mathcal{E}|} \\
&= (\lambda_A\lambda_B)^{-|\mathcal{E}|},
\end{aligned} \qquad (30)$$

where we have used $\sum_g 1 = (\lambda_A\lambda_B)^{|\mathcal{E}|}$. The good event mentioned in the statement of this lemma is $\mathcal{G} = $ "$\mathcal{G}_1$ and $\mathcal{G}_2$ and $\mathcal{G}_3$", and has probability $P(\mathcal{G}) \ge 1 - P(\text{not } \mathcal{G}_1) - P(\text{not } \mathcal{G}_2) - P(\text{not } \mathcal{G}_3)$, as in (24).

We assume $(g, z^m) \in \mathcal{G}_2 \cap \mathcal{G}_3$, since it is a premise of the lemma. If $(r, g, z^m) \notin \mathcal{G}_1$ then $P(r|g, z^m, \mathcal{G}_1) = 0$. Hence, the non-trivial case happens for $(r, g, z^m) \in \mathcal{G}_1$, which we assume in what follows. Using Bayes rule, the definition of $\mathcal{G}_2$ and $\mathcal{G}_3$, Lemma 1, and (26), we obtain

$$\begin{aligned}
P(r|g, z^m, \mathcal{G}) &\le \frac{P(r, g|z^m)}{P(\mathcal{G}_1|g, z^m)\, P(g|z^m)} \\
&\le 2(\lambda_A\lambda_B)^{2|\mathcal{E}|}\, \tau^m\big(I[r, g, z^m]\big) \\
&\le 2(\lambda_A\lambda_B)^{2|\mathcal{E}|}\, \tau^m\!\left(\frac{|\mathcal{E}|\, I_{\rm est}}{m \Pr\{U=1|U=V\}} - n^{-1/8}\right),
\end{aligned}$$

which shows the lemma. □

Theorem. The distance between the secret key generated by the protocol and an ideal key is

$$\sum_{k,f,w,c}\big|P(k,f,w,c) - 2^{-n_K}P(f,w,c)\big| \le 2^{(1 - n^{1/2})/2} + 6\, e^{-m n^{-3/4}\beta^{-2}} + 2(\lambda_A\lambda_B)^{-|\mathcal{E}|}.$$

Proof. Using definitions (4) and (34), Lemma 3, and $\sum_c 1 = 2^{n_C}$, we obtain:

$$\begin{aligned}
P_{\rm guess}(R|C; w, \mathcal{G}) &= \sum_c \max_r P(r, c|w, \mathcal{G}) \\
&= \sum_c \max_{r:\, \theta(r) = c} P(r|w, \mathcal{G}) \\
&\le \sum_c \max_{r:\, \theta(r) = c} 2(\lambda_A\lambda_B)^{2|\mathcal{E}|}\, \tau^m\!\left(\frac{|\mathcal{E}|\, I_{\rm est}(g)}{m \Pr\{U=1|U=V\}} - n^{-1/8}\right) \\
&\le 2^{n_C}\, 2(\lambda_A\lambda_B)^{2|\mathcal{E}|}\, \tau^m\!\left(\frac{|\mathcal{E}|\, I_{\rm est}(g)}{m \Pr\{U=1|U=V\}} - n^{-1/8}\right).
\end{aligned} \qquad (31)$$

The symbol $P_{\rm guess}(R|C; w, \mathcal{G})$ denotes the knowledge of $R$ with respect to $C$ (see Appendix) when the statistics is conditioned on the events $W = w$ and $\mathcal{G}$. Next, we use the identity

$$P(t^m, z^m) = P(\mathcal{G})\, P(t^m, z^m|\mathcal{G}) + P(\text{not } \mathcal{G})\, P(t^m, z^m|\text{not } \mathcal{G}) \qquad (32)$$

with the event $\mathcal{G}$ introduced in Lemma 3. Noticing that $(K, F, W, C)$ is a function of $(T^m, Z^m, F)$, using (32), the triangular inequality, and Lemma 4, we see that

$$\begin{aligned}
\sum_{k,f,w,c}\big|P(k,f,w,c) - 2^{-n_K}P(f,w,c)\big| &\le \sum_{k,f,w,c}\big|P(k,f,w,c|\mathcal{G}) - 2^{-n_K}P(f,w,c|\mathcal{G})\big| + 2P(\text{not } \mathcal{G}) \\
&\le \sum_{k,f,w,c} P(w|\mathcal{G})\, \big|P(k,f,c|w,\mathcal{G}) - 2^{-n_K}P(f,c|w,\mathcal{G})\big| + 2P(\text{not } \mathcal{G}) \\
&\le \sum_w P(w|\mathcal{G})\, \sqrt{2^{n_K(w)}\, P_{\rm guess}(R|C; w, \mathcal{G})} + 2P(\text{not } \mathcal{G}) \\
&\le \sum_w P(w|\mathcal{G})\, 2^{(1 - n^{1/2})/2} + 2P(\text{not } \mathcal{G}) \\
&= 2^{(1 - n^{1/2})/2} + 6\exp\!\left(-m n^{-3/4}\beta^{-2}\right) + 2(\lambda_A\lambda_B)^{-|\mathcal{E}|},
\end{aligned}$$

which concludes the proof. □

6 Conclusions 

In this work, we provide a novel security proof for DIQKD. Contrary to most of the existing proofs, it applies to the situation in which Alice and Bob generate the raw key using two devices. In particular, it does not need to assume that the devices are memoryless or, equivalently, that each raw-key symbol is generated using a different device. While there exist other recent proofs that also work without this assumption, they tolerate zero [15, 16, 17] or rather small amounts of noise [18]. Another important feature of our proof is that it can also be applied to non-signalling supra-quantum eavesdroppers. All these advantages come at the price of making an extra assumption on Eve: she does not have access to a long-term quantum memory and, therefore, effectively she cannot store quantum information. While this may at first be considered a strong assumption (and is actually not needed in new security proofs for DIQKD [15, 16, 17, 18]), it is a very realistic assumption taking into account current technology.

The natural open question is to understand how the assumption on the memory can be removed within the framework presented here, or how the other proofs [15, 16, 17, 18] could be improved to tolerate realistic noise rates. In the case of no-signalling eavesdroppers, there is some evidence suggesting that the fact that Eve can store information and delay her measurement prevents any form of privacy amplification between the honest parties [36]. However, the recent results of [18] imply that privacy amplification is indeed possible against quantum eavesdroppers. A good understanding of privacy amplification in the device-independent quantum scenario is probably the missing ingredient to get robust and practical fully device-independent security proofs.
Appendix

A random function $F : \mathcal{R} \to \{0,1\}^n$ is two-universal [34] if

$$\Pr\{F(r) = F(r')\} \le 2^{-n},$$

for all $r, r' \in \mathcal{R}$ with $r \ne r'$. The following is a simple extension of the main result in

Lemma 4. Let $R, E$ be two (possibly correlated) random variables where $R$ takes values in the set $\mathcal{R}$, and let $F : \mathcal{R} \to \{0,1\}^n$ be a two-universal random function [33]. The random variable $K = F(R)$ satisfies

$$\sum_{k,f,e}\big|P(k,f,e) - 2^{-n}P(f,e)\big| \le \sqrt{2^n\, P_{\rm guess}(R|E)}, \qquad (33)$$

where

$$P_{\rm guess}(R|E) = \sum_e \max_r P(r, e). \qquad (34)$$


Proof. Using the convexity of the square function, the fact that $F$ is independent of $R, E$ and two-universality we obtain:

$$\begin{aligned}
\sum_{k,f,e}\big|P(k,f,e) - 2^{-n}P(f,e)\big| &\le \sqrt{\sum_{k,f,e} P(f,e)\, 2^{-n}\Big(2^n \sum_r P(r|e)\, \delta^{f(r)}_k - 1\Big)^2} \\
&= \sqrt{\sum_{f,e} P(f,e)\, 2^{-n}\Big(2^{2n}\sum_{r,r'} P(r|e)P(r'|e)\, \delta^{f(r)}_{f(r')} + 2^n - 2^{1+n}\Big)} \\
&= \sqrt{-1 + 2^n \sum_{f,e} P(f,e)\Big(\sum_{r \ne r'} P(r|e)P(r'|e)\, \delta^{f(r)}_{f(r')} + \sum_r P(r|e)^2\Big)} \\
&\le \sqrt{2^n \sum_e P(e) \sum_r P(r|e)^2} \\
&\le \sqrt{2^n\, P_{\rm guess}(R|E)}.
\end{aligned}$$

□
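A small exact check of Lemma 4, added here and not part of the paper. It uses the Toeplitz-matrix family over GF(2) as a concrete two-universal family (an assumed choice; the paper only relies on the defining property above) and a constructed correlated pair $(R, E)$, enumerates the whole family, and evaluates both sides of (33).

```python
"""Added example (not from the paper): exact check of Lemma 4 on a small instance.
Assumed choices: the Toeplitz-matrix family over GF(2) as the two-universal family
(F_s(r) = T_s r, with T_s built from a uniformly random seed s of n + l - 1 bits)
and a constructed correlated pair (R, E); the paper only uses the defining property."""
import itertools

L_BITS, N_BITS = 4, 2                                    # |r| = 4 bits, n = 2 bits
RS = list(itertools.product((0, 1), repeat=L_BITS))      # the set of r values


def toeplitz_hash(s, r):
    """T_s r over GF(2); row i of T_s is (s[i+l-1], s[i+l-2], ..., s[i])."""
    l = len(r)
    out = 0
    for i in range(len(s) - l + 1):
        bit = 0
        for j in range(l):
            bit ^= s[i + l - 1 - j] & r[j]
        out = (out << 1) | bit
    return out


def all_functions():
    """The whole family, one function per seed; F is uniform over these."""
    return list(itertools.product((0, 1), repeat=N_BITS + L_BITS - 1))


def max_collision_probability():
    """max over r != r' of Pr_s{F_s(r) = F_s(r')}; two-universal means <= 2^-n."""
    fam = all_functions()
    worst = 0.0
    for r, rp in itertools.permutations(RS, 2):
        hits = sum(toeplitz_hash(s, r) == toeplitz_hash(s, rp) for s in fam)
        worst = max(worst, hits / len(fam))
    return worst


def joint_distribution():
    """Constructed P(r, e): R non-uniform, E = first bit of R sent through a
    binary symmetric channel with flip probability 0.1 (so E is side information)."""
    weights = [1.0 + 0.5 * sum(r) for r in RS]
    total = sum(weights)
    return {(r, e): (w / total) * (0.9 if e == r[0] else 0.1)
            for r, w in zip(RS, weights) for e in (0, 1)}


def lemma4_sides():
    """Both sides of (33): sum_{k,f,e} |P(k,f,e) - 2^-n P(f,e)| on the left and
    sqrt(2^n P_guess(R|E)) on the right, with P_guess from (34)."""
    p = joint_distribution()
    fam = all_functions()
    p_f = 1.0 / len(fam)                                  # F uniform over the family
    lhs = 0.0
    for s in fam:
        for e in (0, 1):
            p_fe = p_f * sum(p[(r, e)] for r in RS)
            for k in range(2 ** N_BITS):
                p_kfe = p_f * sum(p[(r, e)] for r in RS if toeplitz_hash(s, r) == k)
                lhs += abs(p_kfe - p_fe / 2 ** N_BITS)
    p_guess = sum(max(p[(r, e)] for r in RS) for e in (0, 1))
    return lhs, (2 ** N_BITS * p_guess) ** 0.5
```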